From 59692e7651435a037417b69ff8c9ac58f4bc1a98 Mon Sep 17 00:00:00 2001 From: Toast Date: Tue, 29 Oct 2024 11:50:08 +0100 Subject: [PATCH 1/8] Server/caddy: open http/s ports on firewall --- roles/server/caddy.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/server/caddy.nix b/roles/server/caddy.nix index 71029b9..b7b049e 100644 --- a/roles/server/caddy.nix +++ b/roles/server/caddy.nix @@ -58,4 +58,5 @@ in { services.caddy.serviceConfig.RestartSec = lib.mkForce "120s"; }; programs.rust-motd.settings.service_status.Caddy = "caddy"; + networking.firewall.allowedTCPPorts = [443 80]; } From dfd094ef674786babd9c18f4aafc07c3915241d2 Mon Sep 17 00:00:00 2001 From: Toast Date: Tue, 29 Oct 2024 11:50:27 +0100 Subject: [PATCH 2/8] Server: add headscale --- roles/server/default.nix | 1 + roles/server/headscale.nix | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 roles/server/headscale.nix diff --git a/roles/server/default.nix b/roles/server/default.nix index d1e29aa..4ba0396 100755 --- a/roles/server/default.nix +++ b/roles/server/default.nix @@ -11,6 +11,7 @@ ./ddclient.nix ./beep.nix ./tailscale.nix + ./headscale.nix ./caddy.nix ./dns.nix ./rust_motd.nix diff --git a/roles/server/headscale.nix b/roles/server/headscale.nix new file mode 100644 index 0000000..fb72484 --- /dev/null +++ b/roles/server/headscale.nix @@ -0,0 +1,16 @@ +{...}: { + services.headscale = { + enable = true; + settings = { + server_url = "https://headscale.toast003.xyz"; + }; + }; + services.caddy = { + virtualHosts.headscale = { + hostName = "headscale.toast003.xyz"; + extraConfig = '' + reverse_proxy localhost:8080 + ''; + }; + }; +} From 37f3b3fc6099a56959dd15ce5688c3cbeca2cd60 Mon Sep 17 00:00:00 2001 From: Toast Date: Thu, 31 Oct 2024 00:23:25 +0100 Subject: [PATCH 3/8] Server/headscale: set up ip prefixes --- roles/server/headscale.nix | 3 +++ 1 file changed, 3 insertions(+) 
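Review bot: `networking.firewall.allowedTCPPorts = [443 80];` opens both ports on every interface rather than only the public one, so any Caddy site that is not explicitly bound to the tailnet address (the `(tailscale)` snippet with `bind` that patch 4 of this series edits in the same file) becomes reachable from the internet. If only the headscale endpoint is meant to be public, scope the rule to the WAN interface, e.g. `networking.firewall.interfaces.<wan>.allowedTCPPorts = [80 443];`, with a comment naming which vhosts are expected to be public. Port 80 is presumably needed for the ACME HTTP-01 challenge and the HTTPS redirect; a one-line comment saying so would stop a later cleanup from closing it. The enclosing module attribute set begins above this hunk.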
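Review bot: `reverse_proxy localhost:8080` hard-codes headscale's listen port instead of reading it from the module, so a later change to `services.headscale.port` or `services.headscale.address` would leave Caddy proxying to a closed socket without any evaluation-time error. Take `config` in the module arguments and write `reverse_proxy ${config.services.headscale.address}:${toString config.services.headscale.port}`; the NixOS headscale module defaults these to 127.0.0.1 and 8080, which is presumably what the literal relies on. The `virtualHosts.headscale` block also deserves a comment stating that this vhost is deliberately public (no `(tailscale)` bind, public ACME certificate) because it is the coordination endpoint every client must reach, since the other vhosts in this role appear to be tailnet-only.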
diff --git a/roles/server/headscale.nix b/roles/server/headscale.nix index fb72484..7009922 100644 --- a/roles/server/headscale.nix +++ b/roles/server/headscale.nix @@ -3,6 +3,9 @@ enable = true; settings = { server_url = "https://headscale.toast003.xyz"; + ip_prefixes = [ + "100.100.0.0/16" + ]; }; }; services.caddy = { From d39890589b245357e8f80b850bbb6192dde51ac1 Mon Sep 17 00:00:00 2001 From: Toast Date: Thu, 31 Oct 2024 00:39:53 +0100 Subject: [PATCH 4/8] Server/caddy: update server IP --- roles/server/caddy.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/server/caddy.nix b/roles/server/caddy.nix index b7b049e..83cba86 100644 --- a/roles/server/caddy.nix +++ b/roles/server/caddy.nix @@ -23,7 +23,9 @@ in { extraConfig = '' (tailscale) { tls internal - bind 100.73.96.48 + # Old tailscale IP + # bind 100.73.96.48 + bind 100.100.0.1 } ''; virtualHosts = { From 492d870980ed2b9e6315713c2023a194679e5f33 Mon Sep 17 00:00:00 2001 From: Toast Date: Thu, 31 Oct 2024 16:20:08 +0100 Subject: [PATCH 5/8] Server/headscale: setup dns --- roles/server/headscale.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/server/headscale.nix b/roles/server/headscale.nix index 7009922..bfd803f 100644 --- a/roles/server/headscale.nix +++ b/roles/server/headscale.nix @@ -6,6 +6,10 @@ ip_prefixes = [ "100.100.0.0/16" ]; + dns_config = { + base_domain = "tailscale"; + nameservers = ["9.9.9.9"]; + }; }; }; services.caddy = { From c7d2db076b7237a84dd24c8b2a43845902d41a67 Mon Sep 17 00:00:00 2001 From: Toast Date: Sat, 2 Nov 2024 18:14:28 +0100 Subject: [PATCH 6/8] Server: get rid of dnsmasq I can add custom records to headscale's dns settings, so I don't need dnsmasq anymore. This will also bring back resolved's stub --- roles/server/default.nix | 1 - roles/server/dns.nix | 42 ---------------------------------------- 2 files changed, 43 deletions(-) delete mode 100644 roles/server/dns.nix 
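Review bot: `100.100.0.0/16` contains 100.100.100.100, the address tailscale clients reserve for the MagicDNS resolver; headscale is expected to skip reserved tailscale addresses when allocating, but that should be confirmed for the headscale version in use, or the range moved to one that avoids it (for example `100.101.0.0/16`). A short comment on why the default `100.64.0.0/10` was narrowed would also help, because the old node addresses listed in the dnsmasq file deleted later in this series (100.73.x, 100.106.x, ...) fall outside the new prefix, so every client will be renumbered. Recent headscale releases renamed this key to `prefixes.v4`/`prefixes.v6`; if the package is on such a version the option name should be checked against the generated config.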
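Review bot: The commented-out `# bind 100.73.96.48` is dead configuration and should be dropped rather than kept above the new `bind 100.100.0.1`; git history already records the old address. More importantly the new address is whatever headscale assigns this node, which is not pinned anywhere in this series, so a comment such as `# this node's headscale-assigned tailnet IP; must match the extra_records in the other roles` tells the next maintainer what has to change together. Caddy should refuse to start when a `bind` address is not present on the host, so a mismatch would fail loudly rather than expose the tailnet-only sites, but that is worth stating in the comment as the property being relied on.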
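Review bot: `nameservers = ["9.9.9.9"];` gives every tailnet node a single upstream resolver, which becomes a single point of failure for all client DNS once headscale's DNS settings are enforced on the clients; add the provider's secondary, `nameservers = ["9.9.9.9" "149.112.112.112"];`. `base_domain = "tailscale"` is a single-label, unregistered name, which works for MagicDNS but should carry a comment noting that it must not overlap the `server_url` domain (headscale's documentation warns against that) and that names under it only resolve inside the tailnet. If the package is a recent headscale, `dns_config` has been renamed `dns`; the key should be checked against the version in use.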
diff --git a/roles/server/default.nix b/roles/server/default.nix index 4ba0396..bc1a6ea 100755 --- a/roles/server/default.nix +++ b/roles/server/default.nix @@ -13,7 +13,6 @@ ./tailscale.nix ./headscale.nix ./caddy.nix - ./dns.nix ./rust_motd.nix ./minecraft.nix ]; diff --git a/roles/server/dns.nix b/roles/server/dns.nix deleted file mode 100644 index 1e446e5..0000000 --- a/roles/server/dns.nix +++ /dev/null @@ -1,42 +0,0 @@ -{...}: { - services.dnsmasq = { - enable = true; - - # Only using this for tailscale IPs, so better to let tailscale itself deal with it - resolveLocalQueries = false; - - settings = { - listen-address = ["100.73.96.48"]; - - /* - Dnsmasq tries to use the tailscale dns server, which is bad cause that points to dnsmasq - From the little testing I have done it seems to not cause any issues, but better to be safe - than sorry :P - */ - dns-loop-detect = true; - - host-record = [ - "winmax2,winmax2.tailscale,100.106.73.20" - "everest,everest.tailscale,100.73.96.48" - "archie,archie.tailscale,100.113.139.93" - "steamdeck,steamdeck.tailscale,100.85.48.85" - "surfacego,surfacego.tailscale,100.96.92.13" - ]; - - # If this isn't set a cname that targets a host might return the wrong ip - localise-queries = true; - ## IPv6 is not a thing in Spain so I'm guaranteed to not use it - filter-AAAA = true; - domain = "tailscale"; - domain-needed = true; - }; - }; - - programs.rust-motd.settings.service_status.dnsmasq = "dnsmasq"; - - # Dnsmasq conflicts with the resolved dns stub listener - services.resolved.extraConfig = '' - [Resolve] - DNSStubListener=no - ''; -} From 0e66939ab1c128a71571ca3321684bf6f633c01e Mon Sep 17 00:00:00 2001 
From: Toast Date: Sun, 3 Nov 2024 01:18:39 +0100 Subject: [PATCH 7/8] Server: replace dnsmasq cnames with headscale extra dns records --- roles/server/caddy.nix | 15 +++++++++++---- roles/server/forgejo.nix | 10 ++++++++-- roles/server/syncthing.nix | 10 ++++++++-- roles/server/transmission.nix | 10 ++++++++-- 4 files changed, 35 insertions(+), 10 deletions(-) diff --git a/roles/server/caddy.nix b/roles/server/caddy.nix index 83cba86..439f231 100644 --- a/roles/server/caddy.nix +++ b/roles/server/caddy.nix @@ -47,10 +47,17 @@ in { }; }; }; - services.dnsmasq.settings.cname = [ - "${manualHostname},everest" - "${downloadsHostname},everest" - ]; + services.headscale.settings.dns_config.extra_records = let + makeRecords = builtins.map (recordName: { + name = recordName; + type = "A"; + value = "100.100.0.1"; + }); + in + makeRecords [ + manualHostname + downloadsHostname + ]; systemd = { services.caddy.after = ["tailscaled.service"]; # We have somewhat frequent power outages, and our ISP router takes diff --git a/roles/server/forgejo.nix b/roles/server/forgejo.nix index 65fbf83..52b6847 100644 --- a/roles/server/forgejo.nix +++ b/roles/server/forgejo.nix @@ -44,8 +44,14 @@ in { }; }; - # Add a cname for forgejo - services.dnsmasq.settings.cname = ["git.everest.tailscale,everest"]; + # Add a record for forgejo + services.headscale.settings.dns_config.extra_records = [ + { + name = "git.everest.tailscale"; + type = "A"; + value = "100.100.0.1"; + } + ]; # Set up caddy as the reverse proxy for Forgejo services.caddy.virtualHosts.forgejo = { diff --git a/roles/server/syncthing.nix b/roles/server/syncthing.nix index e6409a9..74caa4b 100755 --- a/roles/server/syncthing.nix +++ b/roles/server/syncthing.nix 
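Review bot: `value = "100.100.0.1"` is now repeated in this hunk and in forgejo.nix, syncthing.nix and transmission.nix within the same patch, and it must also agree with the `bind` address in the `(tailscale)` snippet earlier in this file; drift in any one place points a tailnet name at the wrong node. Since `makeRecords` already factors out the record shape, the address deserves a single definition the other roles can read, for instance a module option or one shared `let` binding, instead of four literals. The `let` could also carry a comment such as `# A records under base_domain for sites Caddy serves on this node's tailnet address`. `manualHostname`, `downloadsHostname` and the module's `in {` are defined above this hunk.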
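Review bot: The static A record `git.everest.tailscale -> 100.100.0.1` is not tied to the node that actually runs Forgejo; headscale assigns node addresses itself, so if this host is ever re-registered and receives a different IP the name keeps resolving to whichever node holds 100.100.0.1. That caveat belongs on the `extra_records` entry, e.g. `# must be this node's headscale-assigned address; re-check after any re-registration`, and the same applies to the syncthing and transmission records added in this patch. The `in {` of this module begins above the hunk.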
@@ -39,8 +39,14 @@ AmbientCapabilities = "CAP_CHOWN CAP_FOWNER"; }; - # Add a cname for syncthing - services.dnsmasq.settings.cname = ["sync.everest.tailscale,everest"]; + # Add a record for syncthing + services.headscale.settings.dns_config.extra_records = [ + { + name = "sync.everest.tailscale"; + type = "A"; + value = "100.100.0.1"; + } + ]; # Set up caddy as the reverse proxy for syncthing services.caddy.virtualHosts.syncthing = { diff --git a/roles/server/transmission.nix b/roles/server/transmission.nix index e52f286..a1aafdb 100755 --- a/roles/server/transmission.nix +++ b/roles/server/transmission.nix @@ -37,8 +37,14 @@ in { ''; }; - # Add a cname for transmission - services.dnsmasq.settings.cname = ["transmission.everest.tailscale,everest"]; + # Add a record for transmission + services.headscale.settings.dns_config.extra_records = [ + { + name = "transmission.everest.tailscale"; + type = "A"; + value = "100.100.0.1"; + } + ]; # Set up caddy as the reverse proxy for transmission services.caddy.virtualHosts.transmission = { From 34e1dd0bfca835083c366b9a3ae9c065d8fa2bd6 Mon Sep 17 00:00:00 2001 From: Toast Date: Sun, 3 Nov 2024 01:19:30 +0100 Subject: [PATCH 8/8] Server/headscale: override local dns For some reason extra dns records don't apply without the override --- roles/server/headscale.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/server/headscale.nix b/roles/server/headscale.nix index bfd803f..4575327 100644 --- a/roles/server/headscale.nix +++ b/roles/server/headscale.nix @@ -9,6 +9,7 @@ dns_config = { base_domain = "tailscale"; nameservers = ["9.9.9.9"]; + override_local_dns = true; }; }; };
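Review bot: `override_local_dns = true;` makes tailscaled replace each node's system resolver with the headscale-provided one, so every client in the tailnet now sends all DNS queries, not just `*.tailscale` names, to 9.9.9.9 and bypasses any LAN or split-DNS resolver it had; that consequence belongs in the config, not only in the "for some reason" commit message. Replace the guesswork with a comment such as `# extra_records are answered by tailscaled's resolver, which clients only consult for every name once headscale's DNS overrides the local one (observed; exact cause unverified)`, hedged because the reason is not shown here. Headscale 0.23 and later appear to have dropped this option in favour of global/split nameserver settings, so the key should be checked against the package's config schema.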